CVE-2021-44549: 
Java vulnerability analysis and mitigation

Apache Sling Commons Messaging Mail 1.0, which provides a simple layer on top of JavaMail/Jakarta Mail for OSGi to send mails via SMTPS, was found to have a security vulnerability related to server identity verification. The vulnerability was discovered and disclosed in December 2021, affecting systems using version 1.0.0 of the software (NVD).

The vulnerability stems from the SimpleMailService component lacking an option to enable server identity checks for the shared mail session. While these additional checks are disabled by default in JavaMail/Jakarta Mail for compatibility reasons, the absence of an option to enable them increases the risk of man-in-the-middle attacks. The vulnerability has been assigned a CVSS v3.1 base score of 7.4 (HIGH) with the vector string CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N, indicating potential for high impact on confidentiality and integrity (NVD).

The vulnerability could potentially expose communications to man-in-the-middle attacks when accessing mail servers, potentially compromising the confidentiality and integrity of email communications. The lack of server identity verification could allow attackers to intercept or manipulate SMTPS communications (NVD).

The vulnerability has been addressed in Apache Sling Commons Messaging Mail 2.0, which adds support for enabling server identity checks and enables these checks by default. Users are recommended to upgrade to version 2.0 or later. For those unable to upgrade immediately, a workaround exists by manually enabling the checks through the SimpleMessageBuilder (Apache Advisory).